On June 5, 2025, GreyNoise, security analyst observed a sharp increase in attempts to access at Apache Tomcat Manager systems, with much of traffic traced back to hosting providers like DigitalOcean. Even though no specific exploit has been confirmed, the activity indicates a pattern of probing for weaknesses in publicly accessible setups.
On that day alone, 295 distinct IPs were identified as participating in these attacks, all of which were marked as malicious actors. In the following 24-hour period, an additional 188 IPs were involved, with a majority traced to the U.S., U.K., Germany, the Netherlands, and Singapore.
GreyNoise reported that 298 distinct IPs have been logged attempting to access Tomcat Manager interfaces. Within the last 24 hours 246 of these IPs flagged as malicious, have been traced to familiar geographies, including the U.S., U.K, Spain, Germany, India, and Brazil.
Experts urge organizations to review who has access enforce strict login rules, and keep their devices regularly updated with the latest patches.
At the same time, researchers from Bitsight have found over 40,000 internet-connected security cameras, viewable online, with heavy concentrations in the U.S., Japan, Austria, Czechia, and South Korea. Most others in tech, media, and government.
These cameras, often in homes, offices, transit, and factories may unintentionally expose sensitive footage, posing risk like spying, extortion, or stalking.
Security experts advised users to change default credentials, limit remote access via firewalls or VPNs, and regularly update firmware.
As researcher Joao Cruz warned, the ease of setting up these devices continues to make them a security liability.
